U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Statement on Auditing Standards No. 70 Report on National Finance Center General Controls – Fiscal Year 2009

Report No. 11401-30-FM
September 2009


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 25, 2009

REPLY TO
ATTN OF:      11401-30-FM

TO:           Evan Segal
              Chief Financial Officer
              Office of the Chief Financial Officer

THROUGH:      Kathleen A. Donaldson
              Audit Liaison Officer
              Office of the Chief Financial Officer

FROM:         Robert W. Young /s/
              Assistant Inspector General for Audit

SUBJECT:      Statement on Auditing Standards No. 70 Report on National Finance Center General Controls – Fiscal Year 2009

This report presents the results of our Statement on Auditing Standards (SAS) No. 70 audit at the National Finance Center (NFC) for fiscal year 2009. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the American Institute of Certified Public Accountants standards that are commonly referred to as a SAS No. 70 audit. This report contains an unqualified opinion and does not contain recommendations. The projection of any conclusions based on our audit findings to future periods is subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for the management of NFC, its customer agencies, and their auditors.

We appreciate the courtesies and cooperation extended to us during this review.


Executive Summary

Statement on Auditing Standards No. 70 Report on National Finance Center General Controls – Fiscal Year 2009 (Audit Report No. 11401-30-FM)

Results in Brief

This report presents the results of our Statement on Auditing Standards (SAS) No. 70 audit on the U.S. Department of Agriculture’s (USDA) National Finance Center (NFC) for fiscal year 2009. Our objectives were to perform procedures necessary to express opinions about whether (1) NFC’s description of controls presents fairly, in all material respects, the aspects of NFC controls that may be relevant to a customer agency’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were placed in operation and suitably designed to achieve the associated control objectives, if those controls were complied with satisfactorily; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the associated control objectives were achieved during the period from July 1, 2008, through June 30, 2009.

In our opinion, NFC’s description of controls presented fairly, in all material respects, the relevant aspects of NFC controls and controls of NFC’s subservice organizations. Also, in our opinion, the controls included in the description were suitably designed and operating with sufficient effectiveness to provide reasonable assurance that associated control objectives would be achieved if customer agencies and subservice organizations applied the controls contemplated in the design of NFC’s controls.

Our examination did not extend to the control activities related to Human Capital Management System (commonly referred to as EmpowHR) that the USDA National Information Technology Center (NITC) performs for NFC. [1]

Recommendations in Brief

We do not make any recommendations in this report.

[1] NITC control activities were evaluated in our SAS No. 70 Audit for NITC (Audit Report No. 88501-13-FM, Statement on Auditing Standards No. 70 Report on the National Information Technology Center General Controls Review – Fiscal Year 2009, issued September 2009).

USDA/OIG-A/11401-30-FM


Abbreviations Used in This Report

CIO                 Chief Information Officer
COOP                continuity of operations plan
DRP                 disaster recovery plan
EmpowHR             Human Capital Management System
FIPS                Federal Information Processing Standard
FPS                 Federal Protection Services
GESD                Government Employees Services Division
IT                  information technology
NFC                 National Finance Center
NITC                National Information Technology Center
PIA                 privacy impact assessment
PPS                 Payroll/Personnel System
PSD                 position sensitivity designation
SAS                 Statement on Auditing Standards
SETS                Security Entry and Tracking System
SSP                 system security plan
ST&E                security test and evaluation
T&A                 time and attendance
USDA                U.S. Department of Agriculture
VPN                 virtual private network


Table of Contents

Executive Summary
Abbreviations Used in This Report
Report of the Office of Inspector General
Exhibit A – Description of Controls Prepared By National Finance Center
Exhibit B – Office of Inspector General - Review of Selected Controls


Report of the Office of Inspector General

TO:      Evan Segal
         Chief Financial Officer
         Office of the Chief Financial Officer

We have examined the accompanying description of the controls referenced in exhibit A for the U.S. Department of Agriculture’s (USDA) National Finance Center (NFC) and its subservice organizations other than the USDA National Information Technology Center (NITC). NFC uses NITC for certain configuration management, contingency planning, maintenance, media protection, physical and environmental protection, system and communication protection, and system and information integrity control activities for its Human Capital Management System (commonly referred to as EmpowHR). The accompanying description includes only the relevant control activities of NFC and its subservice organizations other than NITC and does not include NITC control activities. Our examination did not extend to NITC control activities, which were evaluated in our Statement on Auditing Standards No. 70 audit for NITC. [2]

Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of NFC controls and the controls of NFC subservice organizations that may be relevant to a customer agency’s internal control as it relates to the audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and customer agencies and subservice organizations applied the controls contemplated in the design of NFC’s controls; and (3) such controls had been placed in operation as of June 30, 2009. The control objectives were specified by NFC.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

In our opinion, NFC’s description of controls in exhibit A presents fairly, in all material respects, the relevant aspects of NFC controls and the controls of NFC subservice organizations that had been placed in operation as of June 30, 2009. Also, in our opinion, the controls included in exhibit A were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies and subservice organizations applied the controls contemplated in the design of NFC’s controls.

[2] Audit Report No. 88501-13-FM, Statement on Auditing Standards No. 70 Report on the National Information Technology Center General Controls Review – Fiscal Year 2009, issued September 2009.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls to obtain evidence about their effectiveness in meeting the control objectives during the period from July 1, 2008, to June 30, 2009. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit B. This information will be provided to customer agencies of NFC and to their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies. In our opinion, the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the description of controls were achieved during the period from July 1, 2008, to June 30, 2009.

The relative effectiveness and significance of specific controls at NFC and its subservice organizations, and their effect on assessments of control risk at customer agencies, are dependent on their interaction with the controls and other factors present at individual customer agencies. We have performed no procedures to evaluate the effectiveness of controls at individual customer agencies as part of this audit.

The description of controls at NFC and its subservice organizations is as of June 30, 2009, and information about tests of the operating effectiveness of specific controls covers the period from July 1, 2008, through June 30, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at NFC and its subservice organizations is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions. Finally, the accuracy and reliability of data processed by NFC and the resultant reports ultimately rest with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of NFC, its customer agencies, and their auditors.

/s/

Robert W. Young
Assistant Inspector General for Audit

September 17, 2009


The subsequent sections of the report, exhibit A (pages 3 through 27) and exhibit B (pages 28 through 43), are not being publicly released due to the sensitive security content.